[Opendnssec-develop] [Fwd: [DNSOP] Changing NSEC3 salts regularly is useless]

Jerry Lundström jerry at opendnssec.org
Fri Jul 25 05:52:18 UTC 2014


-------- Forwarded Message --------
> From: Mark Andrews <marka at isc.org>
> To: dnsop at ietf.org <dnsop at ietf.org>
> Subject: [DNSOP] Changing NSEC3 salts regularly is useless
> Date: Fri, 25 Jul 2014 00:02:09 +0200
> I just sent the following to bind-users.  We need to kill the myth
> that changing NSEC3 salt provides any real benefit.
> 
> "Actually it is useless to change the salt regularly.  Changing the
> salt provides no real benefit against discovering the names in a
> zone which is the reason people were saying to change the salt.
> 
> The attacker uses cached NSEC3 records.  When it gets a cache miss
> it asks the servers for the zone, puts the answer in the cache and
> continues.  When the salt changes it just maintains multiple NSEC3
> chains, eventually discarding the old NSEC3 chain.  I
> would wait until the new NSEC3 chain has as many cached records as
> the old NSEC3 chain.  Changing the salt slows things up minimally
> for a very short period of time after the change.  Additionally
> once you have some names you ask for those names for a non-existing
> type to quickly pull in part of the new NSEC3 chain you know exists.
> 
> The only reason to change the salt is if you have a collision of
> the hashed names.  This will be a very very very rare event."
> 
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE:	+61 2 9871 4742		         INTERNET: marka at isc.org
> _______________________________________________
> DNSOP mailing list
> DNSOP at ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

Jerry Lundström - OpenDNSSEC Developer
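The forwarded message argues that an NSEC3 chain under a new salt is simply a second chain over the same set of owner names, and that a cached NSEC3 record keeps proving what it proved under its own salt. The following Python is an added illustration written for this page (it is not code from the thread, from ISC or from OpenDNSSEC): it implements the RFC 5155 hash (SHA-1, salt, iterations, base32hex), builds the NSEC3 chain for a small constructed zone under two different salts, and applies the same covering check a validating resolver uses. The zone names and the second salt are constructed for the example; the first salt, iteration count and the expected hash of `example` come from the test vector in RFC 5155 Appendix A.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex (RFC 4648 "Extended Hex"); ordering of
# base32hex strings matches the ordering of the underlying hash bytes, which is
# what lets NSEC3 chains be sorted and compared as text.
_BASE32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, length-prefixed) wire-format domain name."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(k) = H(IH(k-1) || salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte SHA-1 digest -> 32 base32hex characters, no padding needed.
    return base64.b32encode(digest).decode("ascii").translate(_BASE32_TO_HEX).lower()


def build_chain(names, salt_hex: str, iterations: int):
    """Return the NSEC3 chain as sorted (owner_hash, next_hash) pairs.

    Every existing name contributes exactly one record, so a chain under a new
    salt has the same length as the chain under the old salt.
    """
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def covers(record, qhash: str) -> bool:
    """Does this NSEC3 record prove that no name hashes to qhash?

    A record covers qhash when owner < qhash < next.  The last record of the
    chain wraps around (owner > next) and covers everything outside [next, owner].
    """
    owner, nxt = record
    if owner < nxt:
        return owner < qhash < nxt
    return qhash > owner or qhash < nxt


def record_covering(chain, name: str, salt_hex: str, iterations: int):
    """Return the cached record proving `name` does not exist, or None if one
    of the records is a positive hit (the name exists under this salt)."""
    qhash = nsec3_hash(name, salt_hex, iterations)
    for record in chain:
        if covers(record, qhash):
            return record
    return None


# Constructed zone for the demonstration.  SALT_OLD and ITERATIONS are the
# RFC 5155 Appendix A parameters; SALT_NEW is an arbitrary replacement salt.
ZONE_NAMES = ["example", "ns1.example", "www.example", "mail.example"]
SALT_OLD, SALT_NEW, ITERATIONS = "aabbccdd", "0badf00d", 12


def demo():
    old_chain = build_chain(ZONE_NAMES, SALT_OLD, ITERATIONS)
    new_chain = build_chain(ZONE_NAMES, SALT_NEW, ITERATIONS)
    # A record cached from the old chain still proves nonexistence under the
    # old salt; the new salt just yields a second chain of identical size.
    proof = record_covering(old_chain, "nope.example", SALT_OLD, ITERATIONS)
    return {
        "apex_hash_old": nsec3_hash("example", SALT_OLD, ITERATIONS),
        "old_len": len(old_chain),
        "new_len": len(new_chain),
        "nonexistent_covered": proof is not None,
        # An existing name hashes exactly onto an owner name, so no record covers it.
        "existing_covered": record_covering(old_chain, "www.example", SALT_OLD, ITERATIONS) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to print the apex hash (matching the RFC 5155 vector), the length of both chains and the two covering checks; the point the thread makes is visible in the equal chain lengths.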
